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Abstract. We present a new method for the constraint-based synthesis of termination 
arguments for linear loop programs based on linear ranking templates. Linear ranking 
templates are parameterized, well-founded relations such that an assignment to the pa¬ 
rameters gives rise to a ranking function. Our approach generalizes existing methods and 
enables us to use templates for many different ranking functions with affine-linear compo¬ 
nents. We discuss templates for multiphase, nested, piecewise, parallel, and lexicographic 
ranking functions. These ranking templates can be combined to form more powerful tem¬ 
plates. Because these ranking templates require both strict and non-strict inequalities, we 
use Motzkin’s transposition theorem instead of Farkas’ lemma to transform the generated 
3V-constraint into an 3-constraint. 


1. Introduction 


The scope of this work is the constraint-based synthesis of termination arguments. In our 
setting, we consider linear loop programs, which are specified by a boolean combination of 
affine-linear inequalities over the program variables. This allows for both, deterministic and 
non-deterministic updates of the program variables. An example of a linear loop program 
is given in 


Figure 1 


Usually, linear lasso programs do not occur as stand-alone programs. Instead, they are 
used as a finite representation of an infinite path in a control flow graph. For example, in 
(potentially spurious) counterexamples in termination analysis ICPROfli IBCF131 iHLNRIOl 
lKST + 08l IKSTWIOl IPR04bl IPR051 IHHP14| , non-termination analysis [GHM+08] , stability 
analysis [CFKPlll IPW07] , or cost analysis [AAGPlll IGZ10] . 
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while (q > 0 ) : 
q := q-y, 

y ■= y + i; 


q > 0 

A q' = q~y 
A y' = y + 1 


Figure 1: 


A linear loop program given as program code (left) and as a formula defining a 
binary relation (right). 


We introduce the notion of linear ranking templates (jSection 3D . These are parameter¬ 
ized relations specified by linear inequalities such that any assignment to the parameters 
yields a well-founded relation. This notion is general enough to encompass all existing 
methods for linear loop programs that use constraint-based synthesis of ranking functions 
of various kinds Isee ISection 81 for an assessment). Moreover, ours is the first method for 
synthesis of lexicographic ranking functions that does not require a mapping between loop 
disjuncts and lexicographic components. 

In this paper we present the following linear ranking templates. 


• The multiphase ranking template specifies a ranking function that proceeds through a 
fixed number of phases in the program execution. Each phase is ranked by an affine- 
linear function; when this function becomes non-positive, we move on to the next phase 
(ISubsection 4.1|) . We call such a ranking function a multiphase ranking function. 

• The nested ranking template specifies a ranking function that is a special case of a multi¬ 
phase ranking function (ISubsection 4.2j) . In contrast to the multiphase ranking template, 
the nested ranking template requires only linear constraint solving. 

• The piecewise ranking template specifies a ranking function that is a piecewise affine-linear 
function with affine-linear predicates to discriminate between the pieces (jSubsection 4.3p . 

• The lexicographic ranking template specifies a lexicographic ranking function that corre¬ 
sponds to a tuple of affine-linear functions together with a lexicographic ordering on the 
tuple (jSubsection 4.41) . 

• The parallel ranking template targets programs that have to complete a finite number of 
independent tasks with no predetermined order (ISubsection 4.5D . 


Furthermore, our linear ranking templates can be used as a ‘construction kit’ for com¬ 
posing linear ranking templates that enable more complex ranking functions (jSection 5jl . 
Thus, variations on the linear ranking templates presented here can be used and completely 
different templates could be conceived. 

Our method is described in ISection til and can be summarized as follows. The input 
is a linear loop program as well as a linear ranking template. From these we construct 
a constraint on the parameters of the template. This constraint is a quantified nonlinear 
SMT formula. With IMotzkin’s theoreml |Sch99j we transform the constraint into a purely 
existentially quantified constraint. This 3-constraint is then passed to an SMT solver which 
checks its satisfiability. A positive result implies that the program terminates. Furthermore, 
a satisfying assignment yields a ranking function, which constitutes a termination argument 
for the given linear loop program. 

Related approaches invoke Farkas’ lemma for the transformation into 3-constraints 
[ADFG101 IBMSOBal IBMSOBbl ICSS03I IHHLP131 IPR04al |Rybl()[ ISSM04] . Several of our 
ranking templates contain both strict and non-strict inequalities, yet only non-strict in¬ 
equalities can be transformed using Farkas’ lemma. We solve this problem by introducing 
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the use of Motzkin’s Transposition Theorem a generalization of Farkas’ lemma. As a side 
effect, this also enables both strict and non-strict inequalities in the program syntax. To 
our knowledge, all of the aforementioned methods can be extended to programs with strict 
inequalities if IMotzkin’s theoreml is applied instead of Farkas’ lemma. 

Our method is complete in the following sense. If there is a ranking function of the 
form specified by the given linear ranking template, then our method will discover this 
ranking function. In other words, the existence of a solution is never lost in the process of 
transforming the constraint. 

In contrast to some related methods (HHLP131 lPR04aj the constraint we generate 
is not linear, but rather a nonlinear algebraic constraint. Theoretically, this constraint 
can be decided in exponential time |GV88j . Much progress on nonlinear SMT solvers has 
been made and present-day implementations routinely solve nonlinear constraints of various 
sizes [JM12| . 

A related setting to linear loop programs are linear lasso programs (see |Figure 3 ). These 
consist of a linear loop program and a program stem, both of which are specified by boolean 
combinations of affine-linear inequalities over the program variables. Our method can be 
extended to linear lasso programs through the addition of affine-linear inductive invariants, 
analogously to related approaches |BMS05a'l ICSS031IHHLP131ISSM04] (jSection 7j) . 

In this work, we consider variables with values in the rational or real numbers. Our 
method can be applied directly to integer programs, but in this case our completeness result 
does not hold. However, if we compute the integral hull of transition relations analogously 
to [CKRW1 31 [HHT/P13] . we obtain the same completeness result for integer-valued linear 
loop programs as for rational- and real-valued linear loop programs. 

This journal article is an extension of a conference paper |LH14j . In the conference 
paper, we introduced the notion of ranking templates and showed how to solve them using 
Motzkin’s theorem (IScction 41 and [Section 61) . We discussed the multiphase, the piecewise, 
and the lexicographic ranking template. The main additions in this article are the nested 
and parallel ranking template, the composition of ranking templates, and the extension of 
our method to linear lasso programs, as well as additional examples. 


2. Preliminaries 

In this paper we use IK to denote a field that is either the rational numbers Q or the real 
numbers R. 

2.1. Set Theory. We use the the following notions from set theory [Jec06j . A set X is 
transitive iff every element of X is a subset of X. A relation R C X x X is well-founded iff 
every non-empty subset of X has an R-minimal element. 

Definition 2.1 (Ordinal Number [,Tec06 , Def. 2.10]). A set a is an ordinal number (an 
ordinal ) iff it is transitive and £ (‘element-of’) is a well-founded total order on a. 

The ordinal numbers are a method of counting ‘beyond infinity’. The smallest ordinal 
is the empty set, and for every ordinal a there is a unique successor ordinal a U {a}. The 
finite ordinals coincide with the natural numbers, therefore we use them interchangeably. 
The smallest infinite ordinal is denoted by uj. Ordinals can be added, multiplied and 
exponentiated, but in general these operations are not commutative. 

We use the following theorem which allows us to define functions recursively. 
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Theorem 2.2 (Recursion Theorem [Jec06l . Thm. 6.11]). Let R be a well-founded relation 
on the set X and let G be a function on sets. Then there is a unique function F with 
domain X such that for every x £ X, 

F(x) = G{x,F\ {zeX{{z!x)eR} ), 

where F\y is the restriction of the function F to the domain Y. 


2.2. Linear Loop Programs. In this work, we consider programs that consist of a single 
loop. We use binary relations over the program’s states to define its transition relation. 

We denote by x the vector of n variables ( x\ , ..., x n ) T £ lK n corresponding to program 
states, and by x' = {x\ ,. .., x' n ) T £ lK n the variables of the next state. 

Definition 2.3 (Linear Loop Program). A linear loop program loop(x, x') is a binary 
relation defined by a formula with the free variables x and x’ of the form 

V {Ai&) <bi A a&) < di) 

iei 

for some finite index set /, some matrices A % £ ]f£ 2nxmi , (J i £ K 2nxfci , and some vectors 
bi £ and di £ K. ki . The linear loop program loop ( x , x / ) is called conjunctive iff there 
is only one disjunct, i.e., ffl = 1. 

Geometrically the relation loop corresponds to a union of convex polyhedra. 

Definition 2.4 (Termination). A linear loop program loop(x, x') terminates iff the relation 
loop(x, x') is well-founded. 

In general, the termination of linear loop programs is undecidable because linear loop 
programs can be used to simulate counter machines. An undecidability proof for the ter¬ 
mination of linear lasso programs is given in (Leil3l Thm. 3.18]. 

Example 2.5. Consider the following program code. 

while (q > 0): 
if (y> 0): 

q ■= q-y- 1 ; 
else : 

q := q + y-1; 

We represent this code using the following linear loop program: 

(g>0 A y> 0 A y = y A q = q-y - 1) 

V (g > 0 A y < 0 A y =y A q = q + y — 1) 

This linear loop program is not conjunctive. Furthermore, there is no infinite sequence of 
states xq,xi,... such that for all i > 0, the two successive states (xi,Xi+i) are contained 
in the relation loop. Hence the relation loop(x,x') is well-founded and the linear loop 
program terminates. We note that this linear loop program does not have a linear ranking 
function. However, termination of this program can be proven using ranking functions that 
we present in ISubsection 4.11 and in ISubscction 4.21 0 
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3. Ranking Templates 

A ranking template is a template for a well-founded relation. More specifically, it is a 
parameterized formula defining a relation that is well-founded for all assignments to the 
parameters. If we show that a given program’s transition relation loop is a subset of an 
instance of this well-founded relation, it must be well-founded itself and thus we have a 
proof for the program’s termination. Moreover, an assignment to the parameters of the 
template gives rise to a ranking function. In this work, we consider ranking templates that 
can be encoded with linear arithmetic. 

We call a formula whose free variables contain x and x' a relation template. Each 
free variable other than x and x' in a relation template is called parameter. Given an 
assignment n to all parameter variables of a relation template t(x,x'), the evaluation p(t) 
is called an instantiation of the relation template T. We note that each instantiation of a 
relation template t(x, x') defines a binary relation. 

When specifying templates, we use parameter variables to define affine-linear functions. 
For notational convenience, we write f(x ) instead of the term sjx + tf, where sj £ K n and 
tf € K are parameters. We call / an affine-linear function symbol. 

Definition 3.1 (Linear Ranking Template). Let t(x, x') be a relation template with param¬ 
eters D and affine-linear function symbols F that can be written as a boolean combination 
of atoms of the form 

(“/ ' /( x ) + ' /( x 0 ) + ^2 75 ' 5 > °’ 
f&F 5&D 

where £ K are constants and O £ {>,>}. We call T a linear ranking template 

over D and F iff every instantiation of T defines a well-founded relation. 

Example 3.2. We call the following template with parameters D = {4} and affine-linear 
function symbols F = {/} the PR ranking template |PR04aj . 

5 > 0 A f{x) > 0 A f(x') < f(x) — 6 (3.1) 

In the remainder of this section, we introduce a formalism that allows us to show that every 
instantiation of the PR ranking template defines a well-founded relation. Let us now check 
the additional syntactic requirements for (13.11) to be a linear ranking template: 

<5 > 0 = (0 • f(x) + 0 • /( x')) + 1 • 5 > 0 

f(x) >0 = (1 • f(x) + 0 • f{x')) + 0 • 5 > 0 

f(x') < f(x) -6 = (1 • f(x) + (-1) • /(a/)) + (-1) • S > 0 0 

The next lemma states that we can prove termination of a given linear loop program 

by checking that this program’s transition relation is included in an instantiation of a linear 
ranking template. 

Lemma 3.3 (Termination). Let loop be a linear loop program and let T be a linear ranking 
template with parameters D and affine-linear function symbols F. If there is an assignment 
v to D and F such that the formula 

Vx,x r . (loop(x, x') —>■ u(t)(x, x')) (3.2) 

is valid, then the program loop terminates. 

Proof. By definition, zz(t) is a well-founded relation and (13.2j) is valid iff the relation loop 
is a subset of z/(t). Thus loop must be well-founded. □ 
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In order to establish that a relation template which is conforming to the syntactic 
requirements is indeed a ranking template, we have to show that each instantiation of the 
relation template is well-founded. According to the following lemma, we can do this by 
showing that each assignment to D and F gives rise to a ranking function. A similar 
argument was given in |BA09] ; we provide a significantly shortened proof by use of the 
IRecursion Theorem! along the lines of (Jec06l Ex. 6.12], 

Definition 3.4 (Ranking Function). Given a binary relation R over a set E, a function 
p from E to some ordinal a is a ranking function for R iff for all x,x' £ E the following 
implication holds. 

(x,x') € R => p{x) > p(x') 

Lemma 3.5 (Existence of Ranking Functions). A binary relation R is well-founded if and 
only if there exists a ranking function for R. 


Proof. Let p be a ranking function for R. The image of a sequence decreasing with respect 
to R under p is a strictly decreasing ordinal sequence. Because the ordinals are well-ordered, 
this sequence cannot be infinite. 

Conversely, the graph G = (E, R) with vertices E and edges R is acyclic by assumption. 
Hence the function p that assigns to every element of E an ordinal number such that 
p(x) = sup {p(x') +1 | (x, x') € i?} is well-defined and exists due to the IRecursion Theorem! 

□ 


Example 3.6. Consider the terminating linear loop program loop from Example 2.5 
ranking function for LOOP is p : R 2 —> ui, defined as follows. 


p(q,y) 


IYI, if q > 0, and 
0 otherwise, 


where [■] denotes the ceiling function that assigns to every real number r the smallest 
natural number that is larger or equal to r. Since we consider the natural numbers to be a 
subset of the ordinals, the ranking function p is well-defined. 0 


We use assignments to a template’s parameters and affine-linear function symbols to 
construct a ranking function. These functions are real-valued and we transform them into 
ordinal-valued functions as follows. 


Definition 3.7 (Ordinal Ranking Equivalent). Given an affine-linear function / and a real 
number 5 > 0 called the step size, we define the ordinal ranking equivalent of / as 

if f(x) > 0, and 
I 0 otherwise. 

Our notation does not explicitly refer to 5 to increase readability. In our presentation 
the step size 5 is always clear from the context in which an ordinal ranking equivalent / is 
used. 



Example 3.8. Consider the linear loop program loop(x, x') from Example 2.5. For 6 = 1/2 
and f(q) = q + 1, the ordinal ranking equivalent of / with step size 5 is 


f(q,y) = 


|"2(<7 + 1)], if q + 1 > 0, and 
0 otherwise. 


0 















RANKING TEMPLATES FOR LINEAR LOOPS 


7 


The assignment from Example 3.8 to 5 and / makes the implication (13.21) valid. In order 


to invoke [Lemma 331 to show that the linear loop program given in Example 2.5 terminates, 
we need to prove that the PR ranking template is a linear ranking template. We use the 
following technical lemma. 


Lemma 3.9 (Well-Foundedness of Ordinal Ranking Equivalents). Let f be an affine-linear 
function of step size 6 > 0 and let x and x' be two states. If f(x)> 0 and f(x) — f(x') > 5, 
then f(x) > 0 and f(x) > fix'). 

Proof. From f(x) > 0 follows that f{x) > 0. Therefore f{x) > f{x') in the case fix') = 0. 
For f(x') > 0, we use the fact that f(x) — fix') > 5 to conclude that f(x)/5 — f(x')/5 > 1 
and hence f{x') > f(x). □ 


Corollary 3.10. The PR ranking template is a linear ranking template. 

Proof. Any assignment u to 5 and / satisfies the requirements of ILemma 3.91 Consequently, 
/ is a ranking function for v( t), and bv ILcmma 3.5l this implies that p(t) is well-founded. □ 

The goal of this paper is to use linear ranking templates to prove the termination of 
linear lasso programs, as exposed in ILemma 3.31 We defer the explanation how the 3V- 
formula (|3.2D can be transformed so that it is easier to solve to ISection ~6l The next two 
sections focus on additional examples for linear ranking templates. 


4. Examples of Ranking Templates 


4.1. The Multiphase Ranking Template. The multiphase ranking template targets 
programs that go through a finite number of phases in their execution. Each phase is 
ranked with an affine-linear function and the phase is considered to be completed once this 
function becomes non-positive. 


Example 4.1. Consider the linear loop program from Figure 1 on page[2j Every execution 
can be partitioned into two phases: first y increases until it is positive and then q decreases 
until the loop condition q > 0 is violated. Depending on the initial values of y and q, one 
or more phases might be skipped altogether. 0 


Definition 4.2 (Multiphase Ranking Template). We define the k-phase ranking template 
with parameters D = {<5i,..., 5^} and affine-linear function symbols F = {/i,..., /*,} as 
follows. 

k 

f\Si>0 (4.1) 

2—1 
k 

A \/ fi(x) > 0 (4.2) 

1=1 

A fi(x') < f\(x) — (5i (4.3) 

k 

/\ (/*(»') < fi ( x ) - 

i =2 


A 


5 i V fi - i ( x ) > 0 


(4.4) 
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We say that the multiphase ranking function given by an assignment to and 

5i,...,Sk is in phase i iff fi(x) > 0 and f-j(x) < 0 for all j < i. The condition m 
states that there is always some i such that the multiphase ranking function is in phase i. 
Conditions (I4.3j) and (14.41) state that if we are in a phase > i, then /) has to be decreasing 
by at least Si > 0. Thus we start in phase 1 and transition through the phases 2 ,k, 
possibly skipping some or all of them. 

Two special cases of the multiphase ranking template have been discussed previously 
in the literature: the 1-phase ranking template, because it coincides with the PR ranking 
template, and the 2-phase ranking template jBM13j . 

Moreover, multiphase ranking functions are related to eventually negative expressions 
introduced by Bradley, Manna, and Sipma [BMS05b] . However, in contrast to our approach, 
they require a template tree that specifies in detail how each loop disjunct interacts with 
each phase. 


Example 4.3. Consider the program from |Figurc 1 on page[2j The assignment 

h(q,y) = 1 -y, f2(g,y) = q + h $1 = 82 = l 

yields a 2-phase ranking function for this program. This program is in phase 1 iff y < 1 
and it is in phase 2 iff y > 1 and q > —1. 0 


Theorem 4.4. The k-phase ranking template is a linear ranking template. 


Proof. The £;-phase ranking template conforms to the linear ranking template’s syntactic 
requirements. Let v be an assignment to the parameters D and the affine-linear function 
symbols F of the fc-phase ranking template T/j.phase- Consider the following ranking function 
with codomain u: ■ k. 


P(x) 



i ) + fi(x ) if fj(x) < 0 for all j < i and f t (x) > 0, 
otherwise. 


(4.5) 


Let (x,x') G ^(Tfc_ p hase)- Bv ILcnima 3.51 we need to show that p(x') < p{x). From (14.21) 
follows that p(x) > 0. Moreover, there is an i such that fi{x) > 0 and fj{x) < 0 for all j < i. 
By 631 ) and (14.41) . we obtain fj(x') < 0 for all j < i, because fj(x') < fj{x)—Sj < 0 —Sj < 0, 
since ft{x) < 0 for all i < j. 

If fi(x') < 0, then p(x') < oj ■ (k — i) < u ■ (k — i) + fi(x) = p(x). Otherwise, fi(x') > 0 
and from (14.41) follows fi{x') < fi(x) — Si. Bv ILemma 3.91 fi(x) > fi{x') for the ordinal 
ranking equivalent of fi with step size Si. Hence 

p(x') =uj ■ (k-i) + fi(x') <lo ■ (k -i) + %(x) = p(x). 

Therefore ILemma 3.51 implies that ^(Tfc_ p hase) is well-founded. □ 


Does each terminating linear loop program have a multiphase ranking function if we re¬ 
strict ourselves to conjunctive linear loop programs? The following theorem gives a negative 
answer to this question. 


Theorem 4.5. The following terminating conjunctive linear loop program does not have a 
multiphase ranking function. 

a > b A b > 1 A a' = 2a A b' = 36 


(4.6) 
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Proof. The variables a and 6 are positive and grow exponentially, but b grows faster than a. 
For any input, b eventually becomes larger than a and then the loop program terminates. 

Assume the loop program (14.61) has a multiphase ranking function. Then there are 
«i, /?i, 71 , ..., ccfc, /3fc, 7 k € R such that fi(a, b) = aid + /3*6 + 7 j for all 1 < i < k. Choose 

b := max{2} u ^ | /% 7^ o| , a := max {6 + 1} U | -2/3*6, ^ | on ^ o| . 

As maxima over a finite nonempty set, a,b £ R exist uniquely and we have a > b > 1 
by construction. By setting a' = 2 a and b' = 36, we get (a, 6 , 2a, 36) € loop. Let j be 
the smallest index such that fj(a,b) > 0, which exists due to (14.21) . According to (J4.1D we 

obtain 5j > 0 and since j is minimal, we get fj(a',b') < fj(a,b ) from (14.41) ( (14.31) in case 

j = 1 ). Hence 

0 > fj(a', b') — fj(a, 6 ) = 2 ajd + 3f3jb — atja — (3jb = ajd + 2f3jb. (4.7) 

We do an exhaustive case analysis over aj and /3j, and show that all cases yield contradic¬ 
tions. Thus our assumption that there is a multiphase ranking function must be false. 

(i) aj > 0: From (14.71) and a > —2{3jb we get 

0 > ajd + 2/3jb > —2f3ib + 2/3jb = 0. 

(ii) f3j >0: From (14.7() and 6 > 7 j/j3j we get 

0 > ajd + 2f3jb > ajd + /3jb + Pjjf = /j(a, 6 ) > 0. 

(iii) aj = f5j = 0: From (|4.7I) we get 0 > ajd + 2/3y 6 = 0. 

(iv) aj < 0 and /3j < 0: From a > —'yj/aj we get 

0 < fj(d, b) = ajd + f3jb + 7 j < ajd + 7 j < + 7j = 0. 

(v) (3j < 0 and aj < 0: From 6 > — 7 j/fij we get 

0 < fj (a, 6 ) = ajd + (3jb + 7 j < (3jb + 7 j < (3j ^ + 7 j = 0. □ 

Example 4.6. Recall that we allowed our linear loop programs to have nondeterministic 
variable assignments. Because of this, the existence of a multiphase ranking function does 
not imply an upper bound on the execution time of the program. Consider the following 
linear loop program. 

(q > 0 A y > 0 A y = 0) 

V(< 7>0 A y<0 A y' = y — 1 A q ' = q — 1) 

For a given input with y > 0, we cannot give an upper bound on the execution time: after 
the first loop execution, y is set to 0 and q is set to some arbitrary value, as no restriction 
to q' applies in the first disjunct. In particular, this value does not depend on the input. 
The remainder of the loop execution then takes [g] iterations to terminate. 

However, we can prove the program’s termination with the 2-phase ranking function 
constructed from fi(q,y) = y and f 2 {q, y) = q. 0 
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4.2. The Nested Ranking Template. Like the multiphase ranking template, the nested 
ranking template targets programs that go through a fixed number of phases in their execu¬ 
tion. Again, each phase has an affine-linear ranking function, but this affine-linear function 
cannot increase by more than the value of the previous phase’s affine-linear function. Thus 
once the previous phase is finished, its value starts decreasing. 


Definition 4.7 (Nested Ranking Template). We define the k-nested ranking template with 
parameters D = {h} and affine-linear function symbols F = {/i, ..., f k } as follows. 


5 > 0 

(4.8) 

A f k (x) > 0 

(4.9) 

A < fi(x) - 5 

(4.10) 

k 

A f\ fi(x') < fi(x) + fi-i(x) 

(4.11) 


i =2 


Example 4.8. Consider the program from Figure 1 In Example 4.3 we gave an assignment 
for the 2-phase ranking template. We can use almost the same assignment 

h(q,y) = 1 - y, /2(g,y) = g + i, 8 = ^ 

to get a 2-nested ranking function for this program. 0 


The following lemma states that nested ranking functions are a special case of multi¬ 
phase ranking functions. 

Lemma 4.9 (Nested Ranking Template C Multiphase Ranking Template). For every as¬ 
signment v to the k-phase ranking template T k-phase there is an assignment v' to the k-nested 
ranking template T k _ nested such that z/ (r k _ nested ) C v(T k _ phase ) 

Proof. For a given v, we choose 

z/(J) : = v(6i), v'(fi) := v{fi) - v(8 i+1 ) i/(f k ) := v(f k ). 

We show z/(T fc _ nested ) C ^(Tfc.phase) by showing that each of (|4.8I) . (14.91) . (14.101) . and (14.111) 
with assignment v' implies (14.11) . (|4.2I) . (14.31) . and (|4.4I) with assignment n, respectively. 
This is immediate for the first three lines. For (14.111) —> (14.4|> let (x, x') and i > 1 be given 
and assume i/(/j_i)(x) < 0. We get 

v (fi)( x ') = v 'Ui)( x ') + "( S i+ 1 ) 

< v'(fi)( x> ) + v{8%+ 1) - v(fi-i)( x ) 

< v'{fi)( x ) + v\fi-i)( x ) + v(8i+i) ~ v(fi- 1)(®) 

= v(fi)i x ) + i)i x ) - v( 5 i) - v(fi-i)( x ) 

= v(fi)i x ) - 

with v(5 k+ i) := 0 for notational convenience. □ 


Theorem 4.10. The k-nested ranking template is a linear ranking template. 
Proof. Follows from [Theorem 4~4l and ILcnnna 4~9l 


□ 
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If a nested ranking function is just a special case of a multiphase ranking function, 
why are we considering it separately? The advantage of the nested template is that it 
does not contain any disjunctions. Thus, the generated constraint can be solved using only 
linear constraint solving |Leil3l Ch. 6]. In our experiments, many programs that have a 
multiphase ranking function also have a nested ranking function. Hence it is a viable and 
faster alternative to the multiphase template in practice. 

Example 4.11. The multiphase template is strictly more powerful than the nested tem¬ 
plate; consider the following loop program LOOP. 

(q > 0 V y > 0) A y ' = y — 1 A q' < q A (y < 0 —> q 1 = q — 1) 

This program has the 2-phase ranking function constructed from f\ (q. y) = y and f 2 {q, y) = 
q. Since there are no upper or lower bounds on q and y, only the constant function fi(q, y) = 
7 i can be positive for all q, y. By (14.111) if /„; is constant, then _i is positive. By induction 
we get that /i must be constant, a contradiction to (14.101) . 0 

Despite their simplicity, nested ranking templates are already quite powerful. We give 
two nontrivial examples below that each have a nested ranking function. These ranking 
functions were found automatically. 

Example 4.12 (Rotation53). Consider the following conjunctive linear loop program. 

q > 0 A q' = q + a — 1 A a' = |a — |6 A b' = |a + 

During the execution of this loop, the vector (a, b ) is rotated around 0 by the irrational 
angle arccos(3/5) « 53.13 degrees. In the long run, the contribution of a to q cancels out, 
and q decreases on average, hence the program terminates. This program has a 3-nested 
ranking function constructed from the affine-linear functions 

/i(g, a,b) =2q + a-2b, f 2 (q, a,b) = Aq + 5a, and f 3 (q, a,b) = 5q. 0 

Example 4.13 (Crazy Spirals). We can also take the previous example to more extremes; 
consider the following conjunctive linear loop program. 

q > 0 Aq = q + a — 1 A a' = 3a — 5b + cAb 1 = 12 a + 3b A d = 3c — Ad A d! = 4c + 3d 

During program execution, the vector (c, d) moves on an outward spiral centered at 0; the 
vector (a, b ) does the same except that it is offset by c. On average, the contribution from 
these spirals to q cancel out, so q decreases on average. This program has a 7-nested ranking 
function. 0 


4.3. The Piecewise Ranking Template. The piecewise ranking template formalizes a 
ranking function that is defined piecewise using affine-linear predicates to discriminate the 
pieces. 

Definition 4.14 (Piecewise Ranking Template). We define the k-piece ranking template 
with parameters D = {<5} and affine-linear function symbols F = {f \,..., /&, gi ,..., g &} as 
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follows. 

5 > 0 (4.12) 

k k 

A A A <0 V gfax) < 0 V /fax') < fa(x) - < 5 ) (4.13) 

i= 11=1 
k 

A f\ fi(x) > 0 (4.14) 

i— 1 
k 

a V - 0 ( 4 - 15 ) 

z=l 

We call the affine-linear function symbols {gi \ 1 < i < k} discriminators and the affine- 
linear function symbols {fa | 1 < i < k} ranking pieces. 

The disjunction (14.15P states that the discriminators cover all states; in other words, the 
piecewise defined ranking function is a total function. Given the k different pieces 
and a state x, we use fa as a ranking function only if gfax) > 0 holds. This choice need not 
be unambiguous; the discriminators may overlap. If they do, we can use any one of their 
ranking pieces. According to (14.141) . all ranking pieces are positive-valued and by (14.131) . 
ranking piece transitions are well-defined: the rank of the new state is always less than the 
rank of any of the ranking pieces assigned to the old state. 

Example 4.15. Consider the following linear loop program. 

(g > 0 A p > 0 A q < p A q' = q — 1) 

V (g > 0 A p > 0 A p < q A p' = p — 1) 

In every loop iteration, the minimum of p and q is decreased by 1 until it becomes negative. 
Thus, this program is ranked by the 2-piece ranking function constructed from the ranking 
pieces fa (p, q) = p and f 2 {p, q) = q with step size 5 = 1/2 and discriminators g±(p, q) = q—p 
and gfajP q) = p — q. Moreover, this program does not have a multiphase or lexicographic 
ranking function: both p and q may increase without bound during program execution due 
to non-determinism and the number of switches between p and q being the minimum value 
is also unbounded. 0 

Theorem 4.16. The k-piece ranking template is a linear ranking template. 

Proof. The A:-piece ranking template conforms to the linear ranking template’s syntactic 
requirements. Let n be an assignment to the parameter 5 and the affine-linear function 
symbols F of the A;-piece template TV p ; ece be given. Consider the following ranking function 
with codomain uj. 

p(x) := max { fa(x) \ g t (x) > 0} (4.16) 

The function p is well-defined, because the set {fa(x) \ gfax) > 0} is not empty according 
to (14.151) . Let ( x,x') G ^(Tfc_ piece ) and let i and j be indices such that p(x) = fa(x) and 
p(x') = fj(x'). By the definition of p , we have that gfax) > 0 and gj(x') > 0, and (14.131) 
thus implies fj(x') < fi(x) — 5. Using (14.141) . we prove analogously to ILcmnia - 3.91 that this 
entails fj(x') < fa(x) and therefore p{x') < p(x). ILemma 3.51 now implies that ^(Tfc_ p i ece ) is 
well-founded. □ 
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4.4. The Lexicographic Ranking Template. Lexicographic ranking functions consist 
of lexicographically ordered components of affine-linear functions. A state is mapped to 
a tuple of values such that the loop transition leads to a decrease with respect to the 
lexicographic ordering for this tuple. Therefore no function may increase unless a function 
of a lower index decreases. Additionally, at every step, there must be at least one function 
that decreases. 

There are different definitions of lexicographic ranking functions in circulation fADFGlOt 
IBAG131IBMS05a] : a comparison can be found in (BAG131 Sec. 2.4], Each of these definitions 
for lexicographic linear ranking functions can be formalized using linear ranking templates. 
Here we are following the definition of [ADFGIO] . This definition is the weakest, but for 
the other definitions the ranking template has an exponentially larger CNF, and hence our 
method performs comparatively poorly on them. 

Definition 4.17 (Lexicographic Ranking Template). We define the k-lexicographic rank¬ 
ing template with parameters D = {<5i,..., 5*,} and affine-linear function symbols F = 
{/i, ■ ■ ■, fk} as follows. 


k 


f\Si >0 

i=l 

(4.17) 

k 

A /*( x ) > 0 

i=l 

k— 1 i— 1 

(4.18) 

A (/i(* / ) < fi{ x ) v V /jfaO < fj( x ) - S j) 

i= 1 i=l 

k 

(4.19) 

V M x> ) < M x ) ~ S i 

(4.20) 


Z— 1 


The conjunction (14.181) establishes that all lexicographic components fi, ■ ■ ■, fk have positive 
values. In every step, at least one component must decrease according to (14.201) . From (14.191) 
follows that all functions corresponding to components of larger index than the decreasing 
function may increase. 


Example 4.18. Consider the following linear loop program. 

(a>0Ab>5Aa' = aAb' = b — 1) 

V (a>0A6>0Aa / = o — 1 Ab' >0) 

When taking the first disjunct, b decreases until it becomes < 5. Hence we take the second 
disjunct eventually, decreasing a. Because a does not increase when taking the first disjunct, 
we can only take the second disjunct finitely many times. Since the second disjunct is always 
taken eventually, the program terminates. 

This is proved by the 2-lexicographic ranking function constructed from the components 
fi(a, b) = a and f 2 (a, b) = b. 0 


Note that the program from Example 4.18 does not have a multiphase ranking function 
and the program from Figure 1 on page [2] does not have a lexicographic ranking function. 
Thus the multiphase ranking template and the lexicographic ranking template are incom¬ 
parable in expressive power. 
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Theorem 4.19. The k-lexicographic ranking template is a linear ranking template. 

Proof. The ^-lexicographic ranking template conforms to the linear ranking template’s syn¬ 
tactic requirements. Let v be an assignment to the parameters D and the affine-linear 
function symbols F of the /c-lexicographic template TVi ex . Consider the following ranking 
function with codomain co k . 

k 

p(x) := • 7^) (4.21) 

2=1 

Let (x,x') 6 ^(TfcUex). From (14.181) follows fj{x) > 0 for all j , so p(x) > 0. By (14.201) and 
ILcmma 3.91 there is a minimal i such that fi(x') < fi(x). According to (14.191) . we have 
fi(x') < fi(x) and hence inductively fj(x') < fj{x) for all j < i, since i was minimal. 

p{x') = ' • /,(/) < Y“ k ~ j ' ?■(*) ' $>* 7 ' 

j = 1 i =1 3=i 

2—1 

< Y uk ~ 3 ' fj( x ) +Ljk ~ l • /*( x ) - p( x ) 

Therefore ILemma 3.51 implies that ^(Tfc_i ex ) is well-founded. □ 

4.5. The Parallel Ranking Template. The parallel ranking template targets programs 
that do multiple tasks in parallel where progress on each task can be nondeterministic. 
These tasks have no predetermined order of execution. We assume that each task can be 
ranked by an affine-linear ranking function. 

Definition 4.20 (Parallel Ranking Template). We define the k-parallel ranking template 
with parameters D = {5i,... , <5fc} and affine-linear function symbols F = {/i, • • •, fk } as 
follows. 

k 

f\5i>0 (4.22) 

2—1 
k 

A A /*( x/ ) - /*( x ) ( 4 - 23 ) 

2=1 

k 

A V (l*( x ) > 0 A M x 0 < M x ) - 4*) (4.24) 

2=1 

The ranking functions f\..... /)■ correspond to k different tasks. The conjunction (14.231) 
states that none of the ranking functions may increase at any point. Moreover, (14.241) 
states that with every transition, at least one task has to make progress and end in a finite 
number of steps. Note that (14.241) is not given in conjunctive normal form (CNF). When 
transformed in CNF, the number of conjuncts blows up exponentially. 

Example 4.21. Consider the following linear loop program. 

(a > 0 A a' = a — 1 A b' = b) 

V (b > 0 A b' = b — 1 A a' = a) 
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This programs performs two tasks nondeterministically in parallel: the first task takes a 
iterations and the second task takes b iterations; the program terminates once both tasks 
have been completed. The 2-parallel ranking function constructed from f\ (a,b) = a and 
/ 2 (a, b) = b proves this program terminating. 0 

Theorem 4.22. The k-parallel ranking template is a linear ranking template. 

Proof. The fc-parallel ranking template conforms to the linear ranking template’s syntactic 
requirements. Let u be an assignment to the parameters D and the affine-linear function 
symbols F of the Apparallel template Tfc_ para n e i. Consider the following ranking function 
with codomain uj. 

k 

P(x) :=^2fi{x) (4.25) 

1=1 

Let (x,x' ) € ^(T fc _p ara ii e i). From (14.231) follows /j(x') < /;( x) for all i, so f t (x r ) < fi(x). 
By (14.241) . there is a j such that fj(x ) > 0 and fj(x') < fj{x) — 5j. Therefore we have 
fj(x') < fj(x ) bv ILemma 3.91 Hence 
k 

p( x ') = Y = ?■(* o +Y ^ +Y fi( x ) < fj( x )+Y = p( x ^ 

i=l i^j i^j i^j 

Now lLcmma 3.51 implies that ^(Tfc_ para ii e i) is well-founded. □ 


5. Composition of Templates 

In this section we discuss how more powerful linear ranking templates can be constructed 
based on the linear ranking templates from ISection 41 First, we consider a program that is 
terminating, but whose termination cannot be proven using one of the ranking templates 
presented so far. 

Example 5.1. Consider the following linear loop program. 

(q>0Ay>0Ay' = y— 1 A q 1 = q Ax' = x) 

\/(q>0Ay<0Aq' = q — x Ax' = x + 1) 

When executing the first disjunct, y decreases until it becomes negative. Then we execute 
the second disjunct: we increment x, set y to some arbitrary value, and decrement q if x 
is positive. If y was reset to some positive value, the first disjunct is executed again, but 
the values of q and x do not change until the second disjunct is executed. Eventually, x 
is positive and from then on q is decremented until it is nonpositive; thus the program 
terminates. 0 

The program’s behavior resembles a lexicographic ranking function with q as the first 
component and y as the second. However, q is decremented only after x becomes positive: 
the first component needs 2 phases. We want a ranking template for a lexicographic ranking 
function that has multiphase ranking functions instead of affine-linear functions in every 
component. How can we construct a linear ranking template for such a ranking function? 
Observe that all of our linear ranking templates share the following subformulas. 

(i) f{x’) < f(x) 

(ii) f (x') < f{x) - 5 
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(iii) f{x) > 0 

In the context of ranking templates, these formulas have the following meaning. 

(i) The function / is non-increasing. 

(ii) The function / is decreasing. 

(iii) The codomain of the function / is well-founded. 

Here / is always an affine-linear function. The idea of template composition is to replace 
the subformulas (i—iii) with subformulas of the same meaning for more powerful functions. 
We next define triples of formulas that are suitable substituents for (i-iii), called composed 
template recipes. Afterwards, we will use composed template recipes to build new linear 
ranking templates. 

Definition 5.2 (Composed Template Recipe). A composed template recipe is defined re¬ 
cursively according to the following rules. 

(Cl) The PR template recipe (Tp^, t pri T pi?) * s a composed template recipe with 

t pr = f( x> ) < f( x ) 

t pr = f( x ') < f ( x ) - <5 A 5 > 0 

t pr = f( x ) > 0. 

(C2) The k-piece template recipe (T'f_ piece , T k- P iece’ T fc-°iece) is a composed template recipe 
with 

k kk 

T f-piece = V 3i( x ) > 0 A A A (#(*) < 0 V 9j( x ') < 0 V f 3 {x') < 
i= 1 i=l j=l 

kkk 

T fc_piece = 5 > 0 A V 9i( X ) > 0 A A A < 0 V 9j ( x 0 < 0 V fj(x') < fi(x) ~ d) 

i= 1 i=l j=l 

k 

T fc-piece = A > °' 

i= 1 

(C3) Given k composed template recipes (Tp, T^, T^ 0 ),..., (t|, t^, t^ - 0 ) which do not share 
any parameters or affine-linear function symbols, we can construct a composed tem¬ 
plate recipe (t-,t < ,t > 0 ) according to one of the following three composition rules. 


Composition rule 

T— 


T >o 

/c-phase 

/c-lexicographic 

^-parallel 

T f A V D^-l) 

All (TyVVAlA) 

A,; A 

A Ai>i« v T f-°i) 

Vi T f A Ati 1 (Tf v V}=1 T f) 

Ai Tf A Vi (Tf A T>°) 

V,T>° 

A,t>° 

ViT>° 


The intuition behind [Definition 5.21 is that we build composed templates recursively using 
PR template recipes (Cl) or A;-piece template recipes (C2) as the base case and plugging 
them into composition rules given in (C3). 

There is a composition rule for each linear ranking template presented in ISection 41 but 
the fc-piece ranking template and the /c-nested ranking template. We cannot define a k- 
piece or a /c-nested composition rule analogously, because not all of these ranking templates’ 
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atoms are of the form (i-iii) above: they also have atoms containing multiple affine-linear 
function symbols ( fi(x ') < fi(x) + /*_ \{x) in (14.111) and fj(x') < fi(x) — 5 in (14.131) 1. 

Given a composed template recipe (t-,t < ,t >0 ), we call the conjunction T < A T >0 
a composed template. The following theorem states that composed templates are linear 
ranking templates. 

Theorem 5.3. If (t-,t < ,t >0 ) is a composed template recipe, then the composed template 
t < A T >0 is a linear ranking template. 

The proof of ITheorem 5.31 is deferred to the end of this section. 

Example 5.4 (The £:-Phase Composition Rule). We apply the /c-phase composition rule to 
k PR template recipes. Let D := {5i \ 1 < i < k} be parameters and let F = {/,; | 1 < i < k} 
be affine-linear function symbols. For each i, we have three formulas t^ r i: T pR i , and T pp •. 
Using the fc-phase composition rule from IDcfinition 5.21 (C3), we get the composed template 
recipe (Tf_ phafle ,T< phase , T>° phase ) where 

k 

T f-phase = M X ') < /lO) A /\(fi( x ') < fi( x ) V > 0), 

i =2 

Tfc'-phase =fl( x> ) < fl( x ) ~ A (5i > 0 
k 

A /\m x ') < fi ( x ) - ^ A Si > 0) V fi-l(x) > 0), 

-i=2 

k 

T fc°phase = V ^ > °- 
i— 1 

Bv lTheorcm 5.31 T^_ phase A T^° phase is a linear ranking template. In fact, we already know 
this from ITheorem 4.41 because the formula t) 5 phase A T^_ phase is equivalent to the £:-phase 
ranking template. <0 


Remark 5.5. 

(i) Let (t-,t < ,t >0 ) be the fe-phase composition rule applied to k PR template recipes. 
Then the composed template T >0 A T < is equivalent to the £:-phase ranking template. 

(ii) Let (t— , T < , T >0 ) be the /c-lexicographic composition rule applied to k PR template 
recipes. Then the composed template T >0 A T < is equivalent to the /c-lexicographic 
ranking template. 

(iii) Let (t-, t < , t >0 ) be the fe-parallel composition rule applied to k PR template recipes. 
Then the composed template t >0 At < is equivalent to the /c-parallel ranking template. 


Proof. From [Definition 4.21 [Definition 4.171 and IDcfinition 4.201 


Next, we construct a composed template to prove termination of Example 5.1 


□ 


Example 5.6. We apply the £-lexicographic composition rule to I copies of the com¬ 
posed template recipe from Example 5.4 Let D := {Sij | 1 < i < k, 1 < j < £} be 


parameters and let F = {fij \ 1 < i < k, 1 < j < 1} be affine-linear function sym¬ 
bols. For each j, we apply the /c-phase composition rule to k PR template recipes as in 
Example 5.4, using the parameters Dj := {5ij | 1 < i < A;} and the affine-linear function 
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symbols Fj := {fij | 1 < i < k}. Let the resulting composed template recipe be de¬ 
noted (Tf_ phasej , T< phasej , T>° phasej ). Next, we apply the ^-lexicographic composition rule 
to the £ composed template recipes (T| phase j , T< phaseJ , T>° haseJ ) resulting in the composed 
template recipe (t^, tJ^, T^) where 

t / k 

T im = A < h,j( x ) A f\(kj( x ') < fi,j ( x ) v > 0)) 


3= 1 


1=2 


3 ~ 1 


V V (/bi( x 0 < ~ t A S ht > 0 

t= 1 

k \ 

A /\{(fi,t( x ') < ~ S i,t A <5i,t > 0) V > 0) H , 

i =2 / 

T lm = V A > 0 

3=1 V 

k \ 

A f - $i,j A S i,j > 0) V > 0) J 

i=2 / 

£-1 / k 

A A ( (/ljV) ^ /ij^O A /\(fi,j( x> ) < fi,j( x ) v fi-ij(x) > o)) 

1=1 V j=2 

J- 1 , 

V \/ yfi,t(x') < fi,t( x ) - 8i,t A <5i,t > o 

t=i 

A < fiA X ) ~ A S i,t > 0) V fi-l, t (x) > 0)) 

i=2 ) 

T lm = A V /m(^) > 0- 

j=l *=1 

By ITheorem 5.31 t 5 A Tj^ is a linear ranking template. 


0 


Example 5.7. Using the composed template recipe from Example 5.6, we can find a rank¬ 


ing function for Example 5.1 


fi,i(Q,x,y) = l-x 
f 2 ,i(q,x,y) = y 


fi, 2 (q,x,y) = q 

f2,2{g,x,y) = y 


0 


Proof of \Theorem 5.3X First, we need to check the syntactic requirements. This was already 
shown for the PR ranking template and the fe-piece ranking template. Any substitution 
is a boolean combination of parts of simpler templates, and the syntactic requirements for 
linear ranking templates allow for arbitrary boolean combinations of atoms. 

To show well-foundedness, we prove the following statement by induction over the 
recursive construction of the composed template recipes. We show that for all assignments 
v to the parameters and affine-linear function symbols, we find a function p : E —> a from 
the program states E to some ordinal a such that 
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(i) v{t-)(x,x') implies p{x') < p(x). 

(ii) i/(t < )(x, x') and p(x) > 0 imply p(x') < p(x). 

(iii) p(t >0 )(x, x') implies p(x) > 0. 

For the base case, we have a PR template recipe or a /c-piece template recipe, and we get a 
ranking function />:£—>■ uj. Claims (ii) and (iii) follow from ILcmma 370] and [Theorem 4.161 
For the PR template recipe, claim (i) holds because f(x') < f(x) implies f(x') < f(x). For 
the /c-piece template recipe, we prove this analogously to the proof of ITheorem 4.161 using 
fi{x') < fi(x ) instead of fi(x') < fi(x ) - 6. 

For the induction step, assume that claims (i-iii) hold for the composed template recipes 
(Tp, T<, T^ 0 ), ..(Tp, T^, T^°). Thus for every i = l...k, we have a ranking function 
Pi : £ —> oti with ordinal Oj as codomain. We consider the three inductive cases in turn. 

• k-phase: We define the ranking function 


p(x) 


a j + Pi ( x ) ^ Pj ( x ) = 0 f° r a ii 3 < * an d Pi{x) > 0, 
0 otherwise. 


Let (x,x') £ i'(t-), and let i be the current phase, i.e., Pi{x) > 0 and Pj{x) = 0 for all 
j < i. For all j < i, we have (x,x') € p(t j) and (x,x') ^ p(tL°) by inductive hypothesis, 

and hence Pj(x') < Pj{x) = 0. Therefore we obtain ( x,x') € i/(t f) and hence Pi{x') < 
Pi(x ) (note the subscript i instead of j), which implies p(x') < p{x) in case Pi{x') > 0. 
Otherwise we have a phase transition and thus p(x') = 0 < p{x) or i < k. In the latter 
case, we know pi + i(x') < ctj+i, and hence p(x) > ^j=i a j > Y?j =1 a j + Pi- 2 ( x> ) = p( x ')- 
For (x,x') £ z/(t<), we analogously get Pi{x') < pi{x) and hence p(x') < p(x). For 
(x,x') £ i/( T >0 ), we have that pi(x) > 0 for some i and hence p(x) > 0 by the induction 
hypothesis. 

• k-lexicographic. We define the ranking function 

k k 

p(x) ■= Pi(x) II a r 

i= 1 j=i -\-1 

Let (x, x') £ i/(t— ). If (x,x r ) £ u(t f) for all i, then we get Pi(x') < pi(x) by the 
induction hypothesis, and hence p(x') < p(x). Otherwise there is an n < k such that 
(x,x') £ z/(t<) and (x,x') £ i/(tj) for all j < n. By the induction hypothesis, we 
obtain p n (x') < p n (x ) and pj(x') < Pj(x) for all j < n. Since Pi{x') < we have 
njU+i a j > Etn+1 PiW) ri j=i +1 Uj and thus 

k k 

p( x ) =J2pi(x) II a i 

i=l j=i -\-1 

f n—1 k \ / k 

^ 2 pi(x) n a 3 + pn ^> n a i 

i= 1 j=i- 1-1 J y j=n -\-1 

n —1 k \ / k \ k 

j>o«o n a 3 + - f) n ) + n ^ 

2=1 _ 7 = 2 +l / \ j=n +1 / ^‘=72+1 
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' n —1 


> ^Zpi(x) JJ aj + (Pn(x) - 1) n aj I + [ Pi( x ') n 


i= 1 j=i -\-1 

f n —1 k 


j=n +1 


^z=n+l j=i+l 

k 


> Y pi ^ n “j + n “j + s ^( x/ ) n 


ao 


i=l 


j=i +1 


j=n+l 


, z=n+l 


j=»+i 


= pO')- 


For (x,x') £ i / (t < ), we proceed analogously except that the case (x,x') £ i/(t f) for all 
i cannot occur. For (x,x') € i/(t >0 ), we get Pi(x) > 0 by the induction hypothesis, thus 
p(x) > 0. 

• k-parallel: We define the ranking function 

k 

p( x ) -=Y pi ^- 

i =1 

For (x,x') € t'(T-), we have that pi{x') < Pi(x) for all i by the induction hypothesis, 
and hence p(x') < p(x). For (x,x') £ u(t < ), we again have by the induction hypothesis 
that pi(x') < pi(x) for all i, and that there is an i such that pi(x') < pi(x). Therefore we 
obtain p(x') < p(x). For (x,x') £ i/(t >0 ), we have that there is an i such that Pi(x) > 0 
by the induction hypothesis, therefore p(x) > 0. 

This completes the induction. To finish the proof, we note that according to claim (ii) and 
(iii), p is a ranking function for z^(t < At >0 ), and bv ILemma 3.5l this implies that i/(t < At >0 ) 
is well-founded. □ 


Although the procedure introduced in this section allows for an infinite number of 
different ranking templates, it is not exhaustive. We expect that there are many more types 
of ranking functions that can be formalized using linear ranking templates, and possibly 
also composed with other templates. 


6. Synthesizing Ranking Functions 


Following related approaches [ADFGinilBMSn5allBMSn5bllCSSn3llHHLP13llPRH4al|RyblO 
ISSM04] . we transform the 3V-constraint (13.21) into an 3-constraint. This transformation 


makes the constraint more easily solvable not only because we remove universal quantifi¬ 
cation, but also because it reduces the number of nonlinear operations in the constraint. 
Every application of an affine-linear function symbol / corresponds to a nonlinear term 
s^x + tf where Sf is a vector of real-valued parameters and tf is a real-valued parameter. 
For this step, we need the following theorem. 


6.1. Motzkin’s Transposition Theorem. Intuitively, Motzkin’s transposition theorem 
states that a given system of linear inequalities has no solution if and only if a contradiction 
can be derived via a positive linear combination of the inequalities. 
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Theorem 6.1 (Motzkin’s Transposition Theorem }Sch99[ Cor. 7.1k]). For A £ K mxn ; 
C £ K^ xn ; b £ lK m ; and d £K l , the formulas (1M1D and (IM2|i are equivalent. 

\/x £ IK n . -i(4i < b A Cx < d) (Ml) 

3A £ 3/i G K l . A > 0 A n > 0 

A A T A + //C = 0 A A t 6 + [i T d < 0 (M2) 

A (A r 6 <0 V /i / 0) 

If £ is set to 1 in lTheorem 6.11 we obtain the affine version of Farkas’ lemma |Sch99L Cor. 
7.lh]. Therefore IMotzkin’s theoreml is strictly superior to Farkas’ lemma, as it allows for 
a combination of both strict and non-strict inequalities. Moreover, it is logically optimal 
in the sense that it enables the transformation of any purely universally quantified (II) 1 ) 
formula from the theory of linear arithmetic. 


6.2. Constraint Transformation. We fix a linear loop program loop and a linear ranking 
template T with parameters D and affine-linear function symbols F. For simplicity of 
presentation, we assume the loop program LOOP does not contain any strict inequalities, 
and the ranking template T does not contain any non-strict inequalities; however, recall that 
we are using IMotzkin’s theoreml instead of Farkas’ lemma precisely to lift this restriction. 
For the fully general constraints, see (LeiLit Ch. 5]. We write loop in disjunctive normal 
form and T in conjunctive normal form: 

loop(z,x') = \j A(x') < h 
ie/ 

t(x,x') = /\ \/ T jA x ’ x> ) = A V f JAx') > e j,i 

jeJ ieLj j&J l&Lj 

We prove the termination of loop by solving the constraint (13.21) . This constraint is im¬ 
plicitly existentially quantified over the parameters D and the parameters corresponding to 
the affine-linear function symbols F. 



First, we transform the constraint (16.11) into an equivalent constraint of the form required 
bv IMotzkin’s theoreml 


A A Vx ’ x/ - 

ieijeJ 



( 6 . 2 ) 


Now, Motzkin’s Transposition theorem transforms the constraint (16.21) into an equivalent 
existentially quantified constraint: 


A A 3A ^ 0 > 0. X T Ai + CtlJ/ — 0 A A T bi + Ce e j ,t < 0 (6-3) 

iei jeJ teLj t&Lj 

For every inequality in (IMlj) , a new existentially quantified variable is added in (|M2I) . These 
new existentially quantified variables are called Motzkin coefficients. 
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Input: linear loop program loop and a list of linear ranking templates T 
Output: a ranking function for LOOP or null if none is found 

foreach T€T do: 

let tp = \/x,x'. (loop(x,x') —>• t(x,x')) 
let = transformWithMotzkin (tp) 
if SMTsolver . checkSAT (if ): 

let (D , F) = T. getParameters () 
let v = get Assignment (ip , D , F) 
return T. extractRankingFunction (v) 
return null 

Figure 2: Our ranking function synthesis algorithm described in pseudocode. The function 
transformWithMotzkin transforms the 3V-constraint (p into an 3-constraint ip as 
described in ISubsection 6.21 The ranking function is extracted from an assign¬ 
ment of the template with the function extractRankingFunction. This function 
returns a description of the ranking function depending on the template; for ex¬ 
ample the ordinal-based representation from the proofs. 


The 3-constraint (16.311 is then checked for satisfiability. If an assignment is found, it 
gives rise to a ranking function. Conversely, if no assignment exists, then there cannot be 
an instantiation of the linear ranking template and thus no ranking function of the kind 
formalized by the linear ranking template exists. In this sense our method is sound and 
complete. 

Theorem 6.2 (Soundness). If the transformed 3-constraint (|6.3I) is satisfiable, then the 
linear loop program terminates. □ 

Theorem 6.3 (Completeness). If the 3V -constraint (|3.2D is satisfiable, then so is the trans¬ 
formed 3-constraint & □ 


6.3. Ranking Template Pools. Our method for ranking function synthesis can be ap¬ 
plied as follows. We fix a finite pool of linear ranking templates T, consisting of multiphase, 
nested, piecewise, lexicographic, and parallel ranking templates as well as composed tem¬ 
plates in various sizes. The input is a linear loop program loop that we want to check for 
termination. We start by picking a linear ranking template T from the pool 73 From the 
ranking template T we build the constraint ()3.2I) to the parameters and affine-linear function 
symbols of T. This constraint is transformed using IMotzkin’s theoreml to an 3-constraint 
()6.3I) . If this constraint is satisfiable, this gives rise to a ranking function according to 
ILemma 3.51 and thus we proved that the loop program loop terminates. Otherwise, we try 
again using the next linear ranking template from the pool T until the pool has been ex¬ 
hausted. If the pool has been exhausted, the proof of the loop program loop’s termination 
failed. However, due to the completeness of our method, we know that the loop program 
loop does not have a ranking function of the form specified by any of the linear ranking 
templates in the pool. Figure 2 is a description of our method in pseudocode. 
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7. Linear Lasso Programs 


Our method extends to the more general setting of 
linear lasso programs. These are linear loop programs 
that have a program stem in addition to the loop 
(see Figure 3). We use affine-linear inductive invari¬ 
ants to extract the information that is crucial for 
the termination proof from the stem. This is in line 
with related approaches [CSS031 ISSM041 IBMS05al 
IHHLP13j . 


STEM 



LOOP 


Figure 3: A lasso program. 


Definition 7.1 (Linear Lasso Program). A linear lasso program P = (stem, loop) consists 
of 

• a linear loop program loop, and 

• a predicate stem, defined by a formula with the free variables x of the form 

\J ( AiX < bi A CiX < di) 

i&I 

for some finite index set I, some matrices £ K nxmi , Ci £ K nxki , and some vectors 
bi £ and di £ 

The linear lasso program P is called conjunctive iff there is only one disjunct in both 
transitions stem and loop. 


Definition 7.2 (Affine-Linear Supporting Invariant). A formula ip is an affine-linear sup¬ 
porting invariant for the linear lasso program P iff there is an affine-linear function / such 
that 

ip{x) = f(x) O 0 

with [> £ {>,>}, and the following two formulas hold. 

Van stem(x) -a- ip(x) (II) 

Vx,a/. ip(x) A LOOP(x,a/) —> f){x') (IC) 

The affine-linear supporting invariant ip is strict iff > is > and non-strict otherwise. 


Given a linear lasso program, we do the same transformation steps as in ISubsection 6.2l 
adding a finite number of supporting invariants: 

Vx, x'. LOOP(x, x') A /\ipi(x) —> t(x, x') 
i 


In fact, every conjunct in (16.2p gets m supporting invariants: 

( m 

Ai( x x ,)<bi A (/\ 'ipi,jA x )) A ( A ^ T iA x ’ x ' 

t =1 £eLj 

To insure that the tpijA x ) are indeed supporting invariants, we add the constraints (ED and 
m for each ( i,j ,£) £ IxJx{ 1,... , m). Each of these constraints is then transformed using 
IMotzkin’s thcorenrl analogously to ISubscction 6.21 Not all invariants are inductive and we 
only consider invariants that are affine-linear inequalities. We do not retain completeness 
of our method in the sense of ITheorem 6.31 
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The invariant initiating (fUll is a linear constraint, but the invariant consecution m 
is nonlinear. We could make (1ICD linear by restricting ourselves to non-decreasing invari¬ 
ants (HHLP131 . However, the overall constraints are generally still nonlinear because the 
constraints that come from the linear ranking template are generally nonlinear. 


8. Related Work 


Synthesis of linear ranking functions for linear loop programs was first discussed by Colon 
and Sipma [CSOlj . This was extended to a complete template-based method by Podelski and 
Rybalchenko jPR04al RyblO], using the PR ranking template as discussed in Example 3.2 


Their method is not complete over the integers. Cook et al. |CKRW 13] compute the integral 
hull of transition relations in order obtain the same completeness for integers and bitvectors. 
Bagnara and Mesnard generalize the PR ranking template to the 2-phase ranking template, 
relying on nonlinear constraint solving [BM13| . 

Bradley, Manna, and Sipma propose a constraint-based approach for linear lasso pro¬ 
grams |BMS05aj . Their termination argument is a lexicographic ranking function with each 
lexicographic component corresponding to one loop disjunct. This requires nonlinear con¬ 
straint solving and an ordering on the loop disjuncts. The authors extend this approach in 
|BMS05b] by the use of template trees. These trees allow each lexicographic component to 
have a ranking function that decreases not necessarily in every step, but eventually. 

Ben-Amram and Genairn discuss the synthesis of affine-linear and lexicographic ranking 
functions for linear loop programs over the integers [BAG13] . They prove that this problem 
is generally co-NP-complete and show that several special cases admit a polynomial time 
complexity. 

In [CFM12i| the authors also address the problem of finding termination arguments for 
(not necessarily conjunctive) linear loop programs. In contrast to our work, the authors do 
not synthesize the termination argument directly. Instead, they iteratively synthesize linear 
ranking functions and obtain a disjunctively well-founded relation |PR04b| as a termination 
argument. 

Approaches for computing lexicographic linear ranking functions for a more general 
class of programs, namely programs that can consist of several (potentially nested) loops 
are presented in |ADFG10j and |CSZ13j . On linear loop programs, both algorithms involve 
choosing an ordering on the loop disjuncts. Hence, both approaches are either incomplete 
or have to use backtracking to iteratively consider all possible orderings of loop disjuncts. 

Our method is not able to prove termination for all terminating linear loop programs. 
Termination is decidable for the subclass of deterministic conjunctive linear loop programs 
of the form 


while (B s x > b s A B w x > b w ) x : = Ax + c ; 

where the matrices B s , B w , A and vectors b s , b w , c are rational, and variables can take on 
rational or real values |Tiw04] . This class also admits decidable termination analysis over 
the integers for the homogeneous case where b s ,b w ,c = 0 }Bra06] . However, their method 
is not targeted at the synthesis of ranking functions. 

Ranking functions can also be computed via abstract interpretation CCJ.2 . Urban 
and Mine (Urbl3l IUM14al IUM14bj introduced the domain of piecewise defined ordinal¬ 
valued functions for this approach. In contrast to our work, their approach is applicable to 
programs with arbitrary structure and not restricted to linear lasso programs. However, the 
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Parameters 
Function symbols 
Conjuncts 
Atoms 


PR fc-phase fc-nested 
"1 k 1 

lk k 

3 2k+ 1 k + 2 

3 4k — 1 k + 2 


fc-piece 

I 

2k 

k 2 + k + 2 
3 k 2 + 2k+l 


/c-lexicographic 


k 
k 
3 k 

(5k 2 + k)/2 


/c-parallel 

k 

k 

2 k + 2k 
k2 k + 2k 


Table 1: Statistics of our linear ranking templates in CNF; the integer k specifies their size. 

Every affine-linear function symbol constributes n +1 parameters to the template, 
where n is the number of program variables. 


authors do not provide completeness results that state that a ranking function of a certain 
form can always be found. 


9. Conclusion 

We presented a sound and complete method for constraint-based synthesis of ranking func¬ 
tions for linear loop programs. For this method, we introduced the notion of linear ranking 
templates , which are parameterized formulas for well-founded relations. In ISection Tjl we 
established how they can be applied to prove termination (ILemma 3.311 and that an in¬ 
stantiation of a linear ranking template gives rise to a ranking function (jLemma 3.51) . Our 
method can be applied to different kinds of ranking functions that previously have been 
considered independently (affine-linear and lexicographic ranking functions), in addition to 
enabling new kinds (multiphase, piecewise, and parallel ranking functions). The ranking 
templates can also be composed into more powerful templates, allowing for more general 
ranking functions. See lTablc 11 for statistics on the size of our ranking templates. 

Our method can be applied to linear loop programs and linear lasso programs with 
variables that are rational numbers, real numbers, or integers. In general, it requires solving 
nonlinear algebraic constraints, but some linear ranking templates such as the PR ranking 
template or the nested ranking template only require linear constraint solving. 
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